Threat Insight

CVE-2025-29927: Critical Next.js Authorization Bypass Vulnerability

The Next.js project has recently published security patches[1] resolving a critical authorization bypass flaw in Next.js, a React-based framework. The flaw stems from insufficient validation of the x-middleware-subrequest header in middleware authorization checks.

Insight

The vulnerability permits attackers to bypass middleware-level authorization mechanisms, granting them unauthorized access to restricted parts of a Next.js application. This could lead to exposure of sensitive data or unintended functionality. An attacker could craft a request containing the x-middleware-subrequest header and send it to a vulnerable Next.js application. By manipulating the header’s value, the attacker could bypass security checks designed to restrict access. For example, they could gain access to admin-only endpoints or restricted user data.

CVE

CVE-2025-29927

Affected Products

Self-hosted Next.js applications using Middleware (next start with output: standalone). This affects you if you rely on Middleware for auth or security checks that are not validated again later in your application. Affected versions:

  • Next.js <15.2.3
  • Next.js <14.2.25
  • Next.js <13.5.9
  • Next.js <12.3.5

Exploitation

Exploitation in the wild has been confirmed with a publicly available PoC[2], further facilitating unauthorized access and potential misuse of vulnerable systems.

Recommended mitigations:

1. Upgrade to one of the patched versions (15.2.3, 14.2.25, 13.5.9, 12.3.5) of Next.js provided by the vendor.
2. Block external requests that contain the x-middleware-subrequest header so that they never reach your Next.js application.

References

[1] https://nextjs.org/blog/cve-2025-29927
[2] https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
